Facing issue with creating new cosmos db context

[vasanthkumar258]

Issue

Facing issue with creating new cosmos db context - followed documentaion at Get-Module -Name CosmosDB command - $entraIdOAuthToken = Get-CosmosDbEntraIdToken -Endpoint 'https://cosmos-cxpes-ppe-hipri.documents.azure.com'

error - Get-CosmosDbEntraIdToken: The term 'Get-CosmosDbEntraIdToken' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Then i checked the implementation and are internally calling command- $token = (Get-AzAccessToken -ResourceUrl 'https://cosmos-cxpes-ppe-hipri.documents.azure.com').Token

and running above script is giving the below error

Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request)

Content: {"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-hipri.documents.azure.com/ is not a supported MSI token audience. Supported audiences: https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.office365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}}

Headers: X-Powered-By: REDACTED ETag: W/"4d1-rUhcpPTlFmqXlRv/iJgNoMnWvCs" Date: Wed, 22 May 2024 17:08:40 GMT Connection: keep-alive Keep-Alive: REDACTED Content-Type: application/json; charset=utf-8 Content-Length: 1233

See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot Before submitting your issue for the CosmosDB project, please take a moment to provide the following details:

• [ ] Version of PowerShell you're using - LAtest
• [ ] PowerShell host you're using (eg. Console Host, ISE, Visual Studio) - Azure Cli
• [ ] Operating system you're running - windows
• [ ] Version of CosmosDB PowerShell Module you're using (use Get-Module -Name CosmosDB) - 4.7.0

Thanks for contributing your feedback and support! You can optionally submit a Pull Request against this project, if you have a fix you'd like to share.

[PlagueHO]

Hi @vasanthkumar258, The function Get-CosmosDbEntraIdToken is only available in the v5.0.0+ version of the CosmosDB module. There is only a preview version of the module published to PowerShell Gallery so far. I plan to publish a full release once my Azure credit has rolled over (so the integration tests can run).

What version of the Az.Account module is installed? The v5.0.0 version of the module depends on (and will automatically install) v2.19.0. I haven't tested with earlier versions of this module.

[vasanthkumar258]

@PlagueHO, what about this issue Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request)

Content: {"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-hipri.documents.azure.com/ is not a supported MSI token audience. Supported audiences: https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.office365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}}

[PlagueHO]

Hi @vasanthkumar258 - the function Get-AzAccessToken is provided by the Az.Account module - can you run Get-Module -Name Az.Account to see what version is being used?

[vasanthkumar258]

Hey @PlagueHO , I am running v2.19.0 of Az.Accounts in Azure cloud shell.. But in documentation its mentioned as Az.Account.. But when I tried to install this I got an error

C:\WINDOWS\system32> Install-Module -Name Az.Account PackageManagement\Install-Package : No match was found for the specified search criteria and module name 'Az.Account'. Try Get-PSRepository to see all available registered module repositories. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21

• ... $null = PackageManagement\Install-Package @PSBoundParameters

• 
  + CategoryInfo          : ObjectNotFound: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Ex
  ception
  + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

[vasanthkumar258]

Hey @PlagueHO , I installed a prerelease version.. but when I execute the "**$entraIdOAuthToken = Get-CosmosDbEntraIdToken -Endpoint 'https://cosmos-cxpes-ppe-*****.documents.azure.com'**" but still getting below error

Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed. Status: 400 (Bad Request) Content: {"error":{"code":"AudienceNotSupported","message":"Audience https://cosmos-cxpes-ppe-*****.documents.azure.com is not a supported MSI token audience. Supported audiences: https://management.core.windows.net/,https://management.azure.com/,https://graph.windows.net/,https://vault.azure.net,https://datalake.azure.net/,https://outlook.offic e365.com/,https://graph.microsoft.com/,https://batch.core.windows.net/,https://analysis.windows.net/powerbi/api,https://storage.azure.com/,https://rest.media.azure.net ,https://api.loganalytics.io,https://ossrdbms-aad.database.windows.net,https://www.yammer.com,https://digitaltwins.azure.net,0b07f429-9f4b-4714-9392-cc5e8e80c8b0,822c8 694-ad95-4735-9c55-256f7db2f9b4,https://dev.azuresynapse.net,https://database.windows.net,https://quantum.microsoft.com,https://iothubs.azure.net,2ff814a6-3304-4ab8-85 cb-cd0e6f879c1d,https://azuredatabricks.net/,ce34e7e5-485f-4d76-964f-b3d2b16d1e4f,https://azure-devices-provisioning.net,https://managedhsm.azure.net,499b84ac-1321-427 f-aa17-267ca6975798,https://api.adu.microsoft.com/,https://purview.azure.net/,6dae42f8-4368-4678-94ff-3960e28e3630,https://cognitiveservices.azure.com,48ac35b8-9aa8-4d 74-927d-1f4a14a0b239,46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"}} Headers: X-Powered-By: REDACTED ETag: W/"4d1-rUhcpPTlFmqXlRv/iJgNoMnWvCs" Date: Thu, 23 May 2024 05:44:22 GMT Connection: keep-alive Keep-Alive: REDACTED Content-Type: application/json; charset=utf-8 Content-Length: 1233 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

[PlagueHO]

Hi @vasanthkumar258 - hmm. Have you assigned a data plane RBAC role to the Cosmos DB account as per this doc: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

For example, we do this in the integration tests here: https://github.com/PlagueHO/CosmosDB/blob/main/tests/Integration/CosmosDB.integration.Tests.ps1#L887

I'm wondering if Get-AzAccessToken will only return a token with the Cosmos DB audiences if the identity has a data plane RBAC role on the Cosmos DB. I never tested it without.

[vasanthkumar258]

@PlagueHO , There is RBAC role assigned even then I am getting above issue

[PlagueHO]

Hi @vasanthkumar258 - ah, I see the issue. These are Management RBAC assignments. You need to do Data plane RBAC assignments which unfortunately can't be done via the Azure Portal. This page doesn't make that very clear.

For example: the Contributor assigned to an Azure Cosmos DB account does not give Data Plane access to the Cosmos DB.

Instead, you need to use the New-AzCosmosDBSqlRoleAssignment to assign a Data Plane RBAC role to the account or database or container. For example:

$accountName = '<your Cosmos DB account>'
$resourceGroup = '<your RG containing Cosmos DB>'
$roleDefinitionId = '00000000-0000-0000-0000-000000000002'  # This is built-in Cosmos DB Built-in Data Contributor role
$principalId = '<This object ID for the user/service principal/group>'

New-AzCosmosDBSqlRoleAssignment `
    -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $roleDefinitionId ` 
    -Scope "/" `
    -PrincipalId $principalId

You can also create custom RBAC data plane roles and assign them via:

• Bicep/ARM/TF
• Azure CLI or Azure PowerShell.

Does this make sense?

I did a demo of this (was using a C# client but works the same) a few days ago and here is my sample PowerShell I was using to configure the Account and containers: https://github.com/PlagueHO/whats-new-in-cosmos-db-2024/blob/main/configurecosmosdbrbac.ps1#L63

[PlagueHO]

I've raised a separate issue to improve the docs to make this clearer. I might also see if I can work with Cosmos DB team to improve their docs (it's not super clear there either).

Just some more info. These are the built-in Data plane RBAC roles:

But you won't find them in Azure RBAC in the Portal -they're only seen in PowerShell/Az CLI via the:

Get-AzCosmosDBSqlRoleDefinition `
    -AccountName $accountName `
    -ResourceGroupName $resourceGroupName

[PlagueHO]

@vasanthkumar258 - did you get a chance to see if this resolved your issue?